Last night the DHS ICS-CERT published an updated version of their alert for the Havex Trojan. The update provides a more complete description of the actions of the Havex Remote Access Trojan (RAT), though still not as detailed as the original F-Secure blog post. It does, however, report for the first time a separate operational issue with the Havex RAT:
“It is important to note that ICS-CERT testing has determined that the Havex payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.”
This would not be expected to be a deliberate design element of the Trojan, but it could serve as an indicator of a potential Havex attack for organizations that do not have operational system logging capabilities.
ICS-CERT Still Restricting Information
ICS-CERT is still restricting information about the known ‘watering hole’ sites to the US-CERT secure portal. I agree with Dale Peterson’s Tweet that this probably slows the community response to this threat vector as only a very limited number of control systems organizations currently have access to this information source. ICS-CERT continues to provide information on how to request access the US-CERT secure portal:
“ICS-CERT encourages US asset owners and operators to join the control systems compartment of the US-CERT secure portal. To request access to the secure portal send your name, email address, and company affiliation to firstname.lastname@example.org.”
This is a very low threshold to pass to gain access to this information. While we can (and should) debate whether or not ICS-CERT should be restricting access to information that the source of the Havex attack already knows (and the F-Secure blog post identifies clearly enough for the attacker to know which compromised sites have been identified), any organization that uses an OPC server in their control system architecture should apply for access to this information.
The update also significantly expands the mitigation measures that organizations can use to limit the activity of the Havex Trojan. There is not anything new here, but this appears to be a pretty good list of actions to take to secure control systems in general. ICS-CERT does not provide any specific indicators of compromise in this alert, but they do provide a link to the F-Secure blog post on this RAT from Monday that does contain some of those indicators.
Presumably more up-to-date indicators are available through the US-CERT secure portal. This is another reason for potential targets to request access to the US Cert Secure Portal.
ICS-CERT continues to request that organizations that know or suspect that they have been compromised by Havex contact ICS-CERT. Any new information that may be provided by users will make the ICS-CERT investigation of this malware more complete.
This would be a very good point in time to have federal legislation in place that would provide safeguards for organizations that wish to share this type of information with ICS-CERT. At a minimum such information sharing activities should be protected to limit liability concerns and restrict what detailed data the government can share with other organizations, both governmental and private sector.
Lacking such specific cybersecurity information sharing protections, anyone submitting detailed information to ICS-CERT should attempt to avail themselves of the protections provided by Protected Critical Infrastructure Information (PCII) program. At an absolute minimum any information submitted to ICS-CERT should specifically include the following PCII Express Statement:
“This information is voluntarily submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of the Critical Infrastructure Information Act of 2002.”
A better method would be to include the ‘Express and Certification Template’ found in Appendix 5 of the PCII Procedures Manual.